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ABSTRACT 

There are a lot of on going efforts in the research commu¬ 
nity as well as industry around providing privacy-preserving 
and secure storage for personal data. Although, over time 
it has adopted many tag lines such as Personal Informa¬ 
tion Hub [12], personal container [8], DataBox [4|, Personal 
Data Store (PDS) [3] and many others, these are essentially 
reincarnations of a simple idea: provide a secure way and 
place for users to store their information and allow them to 
provision who has access to that information. 

In this paper, we would like to discuss a way to facili¬ 
tate access control mechanism (AC) in the various “personal 
cloud” proposals. 

1. INTRODUCTION 

Personal information storage is the something we seem to 
take for granted. Today, we choose to store our data in var¬ 
ied “clouds” because we love the simplicity and convenience 
these services provide. However, this flourishing relation¬ 
ship relies on the implicit trust between users and service 
providers that users’ privacy will remain intact. While of¬ 
ten we choose to believe that (major) service providers are 
the good guy^, recent cases, where this trust was broken, 
are forcing us to realize that things are not as rosy as they 
might seem . We gradually become aware of the fact that 
our information is being exploited by the big cooperations 
for a relatively low price—free service. 

How to ensure the our information is safe and how to 
(re)gain control? These questions are currently preoccupy 
many researchers. The answers are not trivial and will prob¬ 
ably require a clean-slate approach in how we build and 
manage our information systems. In addition to exploring 
new business models [9] and incentives to change the general 
behavior of everyone involved. 

Recent efforts [121 El IH E] look at facilitating “personal 
clouds” to store users’ data. While many seem to agree 
that such approach can offer a viable alternative, questions 
on how such systems should be designed and implemented 
remain open. 

On one extreme, works like [2] offer a completely decen¬ 
tralised cloud using P2P-based approach: storage is crowd- 
sourced from a pool of participating users. This approach re¬ 
quires strong incentive schemes to reach critical mass. Alter¬ 
natively, we can also use various cryptographic approaches 

^This despite explicit statements by some of the services 
that their business models are mainly depend on going 
through our private information. 


to help us secure our information. But one can never be 
sure, so other approaches [I] employ secret sharing tech¬ 
niques to split and spread content’s chunks across different 
third party clouds. Although, it prevents any single third 
party from obtaining the whole content, this approach limits 
the access control to share all or nothing options. 

However, what if the goal is to share parts of the informa¬ 
tion? Users might want to share some of their information 
with a third party to benefit from its services. 

In this paper we propose an approach for provisioning 
third party access to the bits released by the user. Our 
approach is based on snapshots, we call them “immutable 
views”. The views are created by running a query against a 
personal information space. The result is an immutable view 
containing only the information that the requester (and only 
him) can “see”. The requester only deals with views, raw in¬ 
formation is never retrieved. This means that immutable 
views can be shared and stored by a third party without 
compromising user’s privacy—since only the authorized re¬ 
quester can query it. 

We believe, the ideas described in this paper can be lever¬ 
aged by many of the ongoing efforts, however, our implemen¬ 
tation aligns well with the platform offered by the European 
User-Centric Networking project [12]. In particular, our sys¬ 
tem uses Irmin m, a git-like distributed store and Mirage 
OS [ 3 . Nonetheless, our current implementation |13 | is pro¬ 
grammed to support other backends. 

2. INFORMATION SHARING 

Our AC model is based on Moana m service abstraction. 
Moana provides a graph-based service abstraction and infor¬ 
mation model. The Moana service model exposes two func¬ 
tions ADD and MAP. The ADD function annotates the graph, 
while the MAP function is a standing graph query on the 
global information space. 

AC model. As depicted by Figure [T] the AC model 
comprises three conceptual views. The first view from the 
bottom—global information space (CIS)—contains all the 
facts and made assertions. Note that assertions also include 
the policies used to determine what gets through to the sec¬ 
ond view. The second view, is a result of a query, referred by 
us as policy MAP, onto the first view for all the information 
the requester can access. Finally, the last view is specific to 
the requester’s query, we refer to it as an interest MAP. 

In other words, any request triggers a chain of MAP opera¬ 
tions that narrows down the information scope accessible to 
the requester. 

Protocol. In layman’s terms, we propose git inspired 




Figure 1: Three layers of AC control 

protocol for sharing information which enforces the above 
AC model. To store information, the user will init a master 
information repository (IR), which will store all of its infor¬ 
mation. This essentially creates the first view, which the 
owner can populate with relevant AC polices. A third party 
service that would want to access it for their purposes will 
need to clone it into a local view. “Clone” operations rely 
on the policy MAPs in the AC model. This ensures that only 
permitted information is cloned. The third party service 
is then left with a “copy” they can use for querying (using 
interest MAPs) and running their algorithms. It is worth not¬ 
ing again that the query doesn’t return any raw information, 
rather an immutable view wrapped in a sandbox container 
that can only be queried according to the specified AC poli¬ 
cies. This is similar to SafeAnswers proposal in [3], which 
only returns answers to the requester, not raw metadata. 
For view updates, the ADD function is used, which creates a 
new immutable instance of a view. An updated view from 
the master repository will be pulled and new view instances 
created by third parties will be pushed to the master repos¬ 
itory, following respective merge of the views. 

Social network example. To illustrate intuitively how 
we can use this protocol, let’s consider how a simple so¬ 
cial network can be implicitly built on top of it. Our social 
network follows a simple model: users have followers, who 
are permitted to get updates e.g., on new photos, status 
updates, events, etc. They can also comment on users’ con¬ 
tent. Users publish new information such as events, photos 
and status updates to their personal IR. The repository, as 
previously mentioned, contains and enforces the AC policies 
describing who can see what. Users’ followers, those who 
wish to obtain his content will clone the repository. Con¬ 
sequently, similar to git, the followers will be able to pull 
updates from the master IR and also push (if permitted) 
their comments, as a new view instance, to be merged with 
the master view. 

Implementation. For our system design we are look¬ 
ing at leveraging some recent work into unikernels [B] based 
on Mirage OS [7]. In particular, we envision IRs served us¬ 
ing unikernels. Unikernels are virtual machines that run 
specialised Operating System (OS) to support individual 
software components. Mirage OS provides with the needed 
flexibility in deployment and management. In particular, 
thanks to Mirage OS, unikernels can be compiled and run 
against any environment such as a personal computer, cus¬ 
tom open-source hardware and cloud. Most importantly. 


unikernels can be programmed with internal logic to ensure 
that users’ policies will be respected. Once a requester au¬ 
thenticates against the IR service, hosted on a unikernel, 
another unikernel is spun off containing information subset 
(in an immutable view) to which the requester has access. 
The requester will essentially interact with IR service spe¬ 
cially “designed” for him. 
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